
Thread: Feature Request NDI Access Manager

  1. #1
    Grizzled Veteran jcupp's Avatar
    Join Date
    Feb 2003
    Location
    Bloomington, IN
    Posts
    1,617

    Feature Request NDI Access Manager

    We need a way to secure access to NDI devices on large complicated networks.

    Enormous State U has a dozen campuses, a fiber backbone, hundreds of buildings and tens of thousands of users. NDI would kill on this network but for the skittish IT dept. They are freaked out by the fact that anyone on the same subnet as a PTZ1 camera can both see the video and take control of the camera. Even from a different subnet if they know (or can guess) the IP address they can do the same. Think War PTZing!

    It's not practical to build out a parallel infrastructure or even easy to have a secure subnet spread across 36,000 square miles.

    If we could at least assign a PTZ1 to an Access Manager group they might be OK. A more secure method with centralized access control would be better.
    -Jeff


    My TriCaster Blog
    TriCaster Tally Lights

    Gear Used: TC1, NC1 I/O, TC 460, TC Mini 4i, TS 100, TS 4000

  2. #2
    Registered User
    Join Date
    Aug 2015
    Location
    london
    Posts
    233
    Quote Originally Posted by jcupp View Post
    We need a way to secure access to NDI devices on large complicated networks.

    Enormous State U has a dozen campuses, a fiber backbone, hundreds of buildings and tens of thousands of users. NDI would kill on this network but for the skittish IT dept. They are freaked out by the fact that anyone on the same subnet as a PTZ1 camera can both see the video and take control of the camera. Even from a different subnet if they know (or can guess) the IP address they can do the same. Think War PTZing!

    It's not practical to build out a parallel infrastructure or even easy to have a secure subnet spread across 36,000 square miles.

    If we could at least assign a PTZ1 to an Access Manager group they might be OK. A more secure method with centralized access control would be better.
    In the absence of a better answer to this question, which is appearing in a number of threads...

    I am not 100% sure it's a solution but it might be the start of one: using a Raspberry Pi as a firewall / filter / router in-line with the PTZ1

    Some ideas:
    https://opensource.com/life/16/3/fir...k-raspberry-pi

    I wonder if the routing / firewall functionality could be used to route through traffic, but filtered by its source address. In other words filter by sending address to allow only whitelisted devices to control the PTZ1.

    Like I said - this is only the embryo of a solution, but perhaps someone else with more experience with these processes could chime in.
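
The source-address allowlist suggested in the post above, as an added example that is not part of the original thread: a shell script that validates an allowlist and emits an nftables ruleset for a Raspberry Pi routing between the campus network and the camera. It assumes nftables is installed and the PTZ1 sits alone behind the Pi; the addresses, the table name `ptz_guard` and the script name are constructed for illustration.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset for a Raspberry Pi routing in front of the camera.
# All addresses are constructed (RFC 5737 documentation ranges); ptz_guard is a made-up name.
CAMERA_IP="192.0.2.50"                  # assumed PTZ1 address
ALLOWED="198.51.100.10 198.51.100.11"   # assumed hosts permitted to view/control

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only, so no globbing
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the ruleset: forwarding is default-deny, and only allowlisted sources may reach the camera.
build_ruleset() {
    camera=$1; shift
    valid_ipv4 "$camera" || { echo "bad camera address: $camera" >&2; return 1; }
    elements=""
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "bad source address: $src" >&2; return 1; }
        elements="${elements:+$elements, }$src"
    done
    [ -n "$elements" ] || { echo "empty allowlist" >&2; return 1; }
    cat <<EOF
table inet ptz_guard {
    set allowed_src {
        type ipv4_addr
        elements = { $elements }
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip daddr $camera ip saddr @allowed_src accept
        ip daddr $camera log prefix "ptz-denied " drop
    }
}
EOF
}

# Review the output, then load it on the Pi as root: sh ptz_guard.sh | nft -f -
build_ruleset "$CAMERA_IP" $ALLOWED
```

A filter like this identifies hosts by address, not users, and mDNS discovery does not cross a router, so allowed hosts have to reach the camera by its IP address.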

  3. #3
    Registered User roddyp's Avatar
    Join Date
    Sep 2017
    Location
    UK
    Posts
    36
    Quote Originally Posted by jcupp View Post
    If we could at least assign a PTZ1 to an Access Manager group they might be OK. A more secure method with centralized access control would be better.
    I may be wrong here, but I thought Access Manager only controls how groups are "found". I think you can bypass that if you can determine/guess IP Address/port number?

  4. #4
    Registered User
    Join Date
    Aug 2015
    Location
    london
    Posts
    233
    Quote Originally Posted by roddyp View Post
    I may be wrong here, but I thought Access Manager only controls how groups are "found". I think you can bypass that if you can determine/guess IP Address/port number?
    A moderately informed person could see the bonjour registrations with a simple tool like Bonjour Browser, read the NDI Access group, then simply add that group name to the local machine, and indeed it would see the camera via NDI.

    NDI Access is more of a simple crowd control barrier than any sort of security or privacy mechanism. I think the in-line firewall is the right idea unless that functionality can be done by the switch.

    Maybe there is even a product idea there. I was serious about the Raspberry Pi.

  5. #5
    Registered User roddyp's Avatar
    Join Date
    Sep 2017
    Location
    UK
    Posts
    36
    Quote Originally Posted by livepad View Post
    A moderately informed person could see the bonjour registrations with a simple tool like Bonjour Browser. <snip>
    Interesting you should mention that. The only bonjour browsing tool I've found that shows NDI sources is MacOS Bonjour Browser - and that only shows them after you explicitly add "_ndi._tcp" in the preferences under "Browse for known Jaguar services".

    Do you think that's a bug, or by design?
    Last edited by roddyp; 04-12-2018 at 07:02 AM.

  6. #6
    Registered User
    Join Date
    Aug 2015
    Location
    london
    Posts
    233
    Quote Originally Posted by roddyp View Post
    Interesting you should mention that. The only bonjour browsing tool I've found that shows NDI sources is MacOS Bonjour Browser - and that only shows them after you explicitly add "_ndi._tcp" in the preferences under "Browse for known Jaguar services".

    Do you think that's a bug, or by design?
    There is a pref "Browse for all available services" - if you turn that on you will see everything Bonjour.
